Got any stories of people whose security practices were so bad it was entertaining?

At one of my old jobs, immediately after being hired the sys admin (aka some random HR person of questionable intelligence) made me an account for their computer systems. They informed me that everyone's username was the first letter of their first name then their last name, for example: "dsmith". And then they told me that my password was "pass123", the same as everyone else including the store manager, because she felt it was easier for everyone to remember that way. So I thought any time I wanted to I could just log in as a manager and give myself a raise, or as the sys admin and do anything I want? I found this so amusing that I literally laughed out loud. I never brought these concerns to anyone's attention though, because I didn't particularly care for the company.

I went to a client's business for a computer error and found out all files, information, SSID, and everything on every employee and patient was available at my fingertips and available to all employees. Home addresses, even some had banking information. That's only part 1. Next, I found out all information transferred between them with personal information was over email. Imagine a doctor's office sending you all your information unencrypted over email. No thanks Jeff.

Part 3, their router username/pass (for such a high profile business) was admin/admin. I'm not complaining though, I was paid over $900 for all of this to be fixed, changing how they operate, etc.

Oh, and just about every computer there had some form of virus, some of them having keyloggers because the employees go on websites and games at work. So sending patient information over unencrypted email with keyloggers.

Seems legit. I wonder how other doctors' offices are when things like this are going on.

Last year at school, I was in the library guessing people's passwords at logon. This one guy had the password "123456". It was really hilarious.

Also, at my desktop, there was this Q: drive that not even the admin had access to. Funny, however, when I was saving a Word 2007 document, the Q: drive popped up as "Q: (App Virt)" and I could go in and have access to all of it.

At my university it is possible to get onto any drive of a logged on PC, including C: and flash drives. I also found the PHP config data of their website. There is no antivirus on any PC. The student website login is unencrypted and I managed to sniff my own password as proof.

I ran a keylogger on one PC as proof and accidentally forgot about it for about a week. A friend later reminded me so I rushed to take it off. It included gmail, facebook, and student accounts. Scary to think what a black hat would do with that information. IRC is unblocked and I ran clients on about 10 PCs to show the possibility of a botnet.

Also, near the end of a semester we wrote an online exam. The result of almost 200 students trying to log on at once was that their server crashed.

At one college I attended, the doors to several of the labs had a lock/unlock toggle pushbutton on the edge of the door with the latch. When you open the door with the key, you push the button to unlock it for everyone, and you push the other one to lock it.

Some doors had a security plate over the mechanism. Many doors didn't.

I opened these labs regularly with a car key by sliding it between the door and the jamb and levering it to push the button while the door was closed.

I pointed this out once to my professor, but as far as I know nothing ever came of it.

At my previous job, the login:password to all computers was the company name. (To be fair it was a domain login, so not full admin, although nothing was actually disabled and it was Win XP.) My login for their database software (do we even call an MS Access thing software?) was my initials, and so was the password. It gave me access but some things were disabled. But it also gave me full database access... "Please don't change things directly in the database! Except when the software fails and you need to fix things," which was about 5 times a day.

We had access to a network drive where we had to store random things. There was also a network drive where the execs put all their files, like financial data, emails, etc. etc. It was simply not mounted by default, but there was nothing preventing you from doing so.

The private site to submit vacation time was riddled with SQLi holes. Literally everything you could exploit was exploitable, and this was accessible from the web. The IT guy would need to get permission from the boss to work on it to fix it, and that guy was a cheap bastard who refused to pay for anything, so obviously nothing got fixed apart from net send being disabled by default.

EDIT: Nov 22 2012: Said company just went bankrupt.

<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...

Well, even though I don't know MUCH, I did find, to my delight, that the powers that be @ this one job I had as a collections rep didn't have the common sense to disable the developer tools for their client interface system... This had to be the most horrible job I've ever had the displeasure to work. When I lined up a new job and was in my last week as a collector, I did SOOOOOOOOOOOOOOOOOOOOOOOOO much document.write, and the hilarious part was that no one ever figured out why I kept receiving strange, never before seen error messages/codes--my personal favorite: "fatal exception: 666 SATAN LIVES"

And I'd just sit innocently and quietly while they poked and prodded and finally would just tell me to reboot my system (which took about 15 minutes to do due to their shitty computer systems).

My friend and I were at school, both working on a project with laptops, next to each other. He went to ask the teacher about the project, and he hadn't logged on yet, so I decided to take a crack at it. First guess was his first name, and guess what, it logged on. Being the friend that I was, though, I told him and he changed the password the same day. Funny thing however, apparently no one had guessed the password correctly for 3 years until I came along...

This one isn't even funny... The place where I just started working has all of its system passwords, EVEN the manager/administrator's, set as... wait for it... wait for it... PASSWORD!! All small letters, no variations. I tried to respectfully and humbly suggest to my boss that this wasn't the best idea, but he assured me that *no one* would ever try to break into the systems... and besides, the main server is somewhere in Florida.